Case spotlights the fraught intersection of HIPAA and social media. Social media helps drive business, and many medical practices utilize it. But a recent case highlights the importance of revisiting HIPAA with your staff before too many details about your practice and your patients are revealed online. Background: The Dallas-based dental practice Elite Dental Associates settled with the HHS Office for Civil Rights (OCR) for unlawfully exposing a patient’s protected health information (PHI) via social media. Elite will pay $10,000 to the feds for the HIPAA violation; plus, the dentist will enter into a two-year corrective action plan (CAP) to assist with its compliance issues, according to an OCR brief. The incident that prompted the violation occured in June 2016 after a patient complained about the exposure of their PHI on the Yelp review page. After an OCR investigation, it was uncovered that Elite had revealed the identity of not one — but many — patients on the social media platform. Due to a lack of HIPAA protocols and procedures, the dental firm failed to implement policies to deal with “disclosures of PHI to ensure that its social media interactions protect” patients; moreover, Elite didn’t institute a strong “Notice of Privacy Practices that complied with the HIPAA Privacy Rule,” OCR says. “Social media is not the place for providers to discuss a patient’s care,” cautions Roger Severino, OCR director, in a release. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.” “While no one likes to see unflattering and/or untrue comments about them or their business online or in the media, HIPAA (and many state medical confidentiality laws) prevents healthcare providers from responding to such comments in a way that discloses the PHI of any patient without that patient’s written authorization,” reminds Florida-based attorney Elizabeth F. Hodge, with national law firm Akerman LLP in the Health Law Rx blog. Slimmer Fines Signal Feds’ Alignment with Burden-Reduction Policies What’s particularly interesting about this case is the lower-than-usual penalty the OCR enforced after Elite haggled with the feds to reduce the fine. However the practice was helpful during negotiations, and the feds apparently factored that into their decision making, the OCR release suggests. “It is always difficult to comment about the amount collected in these settlements. We never have a full record of the facts or the discussions that led to the settlement,” notes Philadelphia-based attorney Edward I. Leeds, with Ballad Spahr LLP. “In the Elite Dental settlement, it appears as if OCR recognized that the settlement amount was small and offered an explanation in its press release: size, financial circumstances, and cooperation.” Reduced fines may be related to the feds’ nonstop deregulation and burden-reduction renaissance, too, suspect experts. “I think some of the recent fines have been lower than might be expected based on past settlements for similar actions,” says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “There are explanations given, but I think there is an effort to reduce penalties as part of regulatory burden reduction efforts by the current administration.” Sheldon-Dean continues, “That said, HHS has always been mindful of not wanting to put anyone out of business, yet ensuring the violators do feel some pain for their transgressions. Smaller entities tend to get smaller penalties. Is this one too small? Hard to say.” Remember: This isn’t the first surprisingly small settlement of the year. In May, the software and EMR firm Medical Informatics Engineering, Inc. (MIE) agreed to pay OCR $100,000 for a 2015 violation that exposed the PHI of 3.5 million individuals. Even though MIE is a business associate (BA), the slight amount was shocking; however, 16 states followed up with another $900,000 in penalties to round out MIE’s total to a cool $1 million (see Health Information Compliance Alert, Vol. 19, No. 6). “Those numbers also seemed a bit low compared to earlier breaches, despite the combination with the states,” Sheldon-Dean notes. And he reminds, “States can always prosecute under their own laws. If they want to prosecute a civil action under HIPAA, they need to coordinate with HHS, but it is permitted.” “The MIE settlement did seem small,” agrees Leeds. But, “the sample space of settlements is too small to draw hard and fast conclusions,” he adds. Leeds mentions another case that had a more substantial outcome. “Earlier this year, Premera Blue Cross reached a $10 million settlement with 30 states over a large 2014 breach,” he recalls. So far, Texas has not released any arrangements with Elite Dental or settled any fines on the state level — but it could bring an action against the practice in the future. “Although state attorneys general may bring actions to enforce HIPAA, individuals do not have a private right to sue under HIPAA and would, therefore, need to bring a lawsuit on other grounds,” explains Leeds. Resource: Read about the Elite Dental settlement at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html.